linux-kernel.vger.kernel.org archive mirror
* [PATCH] net/ncsi: prevent memory leak in ncsi_rsp_handler_gc
@ 2019-09-25 21:58 Navid Emamdoost
  2019-09-25 23:09 ` Al Viro
  0 siblings, 1 reply; 4+ messages in thread
From: Navid Emamdoost @ 2019-09-25 21:58 UTC (permalink / raw)
  Cc: emamd001, kjlu, smccaman, Navid Emamdoost, Samuel Mendoza-Jonas,
	David S. Miller, netdev, linux-kernel

In ncsi_rsp_handler_gc if allocation for nc->vlan_filter.vids fails the
allocated memory for nc->mac_filter.addrs should be released.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
 net/ncsi/ncsi-rsp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index d5611f04926d..f3f7c3772994 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -800,8 +800,10 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr)
 	nc->vlan_filter.vids = kcalloc(rsp->vlan_cnt,
 				       sizeof(*nc->vlan_filter.vids),
 				       GFP_ATOMIC);
-	if (!nc->vlan_filter.vids)
+	if (!nc->vlan_filter.vids) {
+		kfree(nc->mac_filter.addrs);
 		return -ENOMEM;
+	}
 	/* Set VLAN filters active so they are cleared in the first
 	 * configuration state
 	 */
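Review bot: the new error path frees nc->mac_filter.addrs but leaves the pointer in nc, so if the channel is later torn down by a path that also frees nc->mac_filter.addrs (the thread names ncsi_remove_channel as a candidate), this turns a leak into a double free. Either clear the pointer after the free, i.e. add `nc->mac_filter.addrs = NULL;` after the `kfree(nc->mac_filter.addrs);` line (kfree() of NULL is a no-op, so a later teardown stays safe), or state in the commit message which path owns and releases these buffers once ncsi_rsp_handler_gc returns -ENOMEM; "should be released" is not the analysis a reviewer needs to judge the change.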
-- 
2.17.1



* Re: [PATCH] net/ncsi: prevent memory leak in ncsi_rsp_handler_gc
  2019-09-25 21:58 [PATCH] net/ncsi: prevent memory leak in ncsi_rsp_handler_gc Navid Emamdoost
@ 2019-09-25 23:09 ` Al Viro
  2019-09-27  3:15   ` Navid Emamdoost
  0 siblings, 1 reply; 4+ messages in thread
From: Al Viro @ 2019-09-25 23:09 UTC (permalink / raw)
  To: Navid Emamdoost
  Cc: emamd001, kjlu, smccaman, Samuel Mendoza-Jonas, David S. Miller,
	netdev, linux-kernel

On Wed, Sep 25, 2019 at 04:58:53PM -0500, Navid Emamdoost wrote:
> In ncsi_rsp_handler_gc if allocation for nc->vlan_filter.vids fails the
> allocated memory for nc->mac_filter.addrs should be released.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> ---
>  net/ncsi/ncsi-rsp.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
> index d5611f04926d..f3f7c3772994 100644
> --- a/net/ncsi/ncsi-rsp.c
> +++ b/net/ncsi/ncsi-rsp.c
> @@ -800,8 +800,10 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr)
>  	nc->vlan_filter.vids = kcalloc(rsp->vlan_cnt,
>  				       sizeof(*nc->vlan_filter.vids),
>  				       GFP_ATOMIC);
> -	if (!nc->vlan_filter.vids)
> +	if (!nc->vlan_filter.vids) {
> +		kfree(nc->mac_filter.addrs);
>  		return -ENOMEM;
> +	}

Again, why is it not a double-free?  IOW, what guarantees that we won't
be calling <greps> ncsi_remove_channel(nc) at a later point?

I'm not familiar with that code, so you _might_ be correct in this case,
but you need a lot more analysis in commit message than "should be",
considering the other similar patches from the same source, with the
same level of details in them that had been provably broken.

I don't know what kind of heuristics you are using when looking for
leaks, but they demonstrably give quite a few false positives.

It might be useful (and not just for you) to discuss those heuristics.
Could you go over the patch series you've posted and follow them up
with "here I've decided that we have a leak for such and such reason".
_Including_ the ones where you've ended up with false positives.

Look at it this way: you've posted a lot of statements without any
proofs of their correctness *or* any way to guess what those missing
proofs might've been.  At least some of them are false.  I can try
to prove them from scratch and post such proofs where the statement
happens to be true and counterexamples where it happens to be false.
However, it would've been much more useful to go through what you've
actually done to arrive at those statements, so that mistakes
would not be repeated in new problems.  And those mistakes are very
unlikely to be yours alone, so other people would benefit as well.
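The leak-versus-double-free question raised above, as an added example that is not part of the thread, the patch or the kernel: a userspace model in which calloc/free stand in for kcalloc/kfree, and a small registry of live allocations (hypothetical, like the channel structure and handler names) makes a second free observable the way a debug allocator would report it, instead of corrupting the heap. One handler has the shape of the posted patch (free on the error path, pointer left in the structure); the other clears the pointer after the free. Both are followed by a teardown that releases every buffer in the structure, which is the role ncsi_remove_channel plays in the discussion.

```c
/* Added example, not code from the patch or the kernel: a userspace model of
 * the ownership question raised in this thread. calloc/free stand in for
 * kcalloc/kfree; the channel structure, handlers and the live-allocation
 * registry are hypothetical and exist only to make a double free observable
 * without actually corrupting the heap. */
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

struct channel {
	uint8_t  *mac_addrs; /* plays the role of nc->mac_filter.addrs */
	uint16_t *vlan_vids; /* plays the role of nc->vlan_filter.vids */
};

/* Registry of live allocations: lets model_free() detect a free of memory
 * that is no longer live, as a debug allocator would, instead of crashing. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int double_frees;      /* frees of a pointer that was not live */
static int fail_second_alloc; /* set to 1 to make the vlan allocation fail */

static void *model_calloc(size_t n, size_t sz, int is_second)
{
	if (is_second && fail_second_alloc)
		return NULL;
	void *p = calloc(n, sz);
	for (int i = 0; p && i < MAX_LIVE; i++)
		if (!live[i]) { live[i] = p; break; }
	return p;
}

static void model_free(void *p)
{
	if (!p)
		return; /* freeing NULL is a no-op, as with kfree() */
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == p) { live[i] = NULL; free(p); return; }
	double_frees++; /* p was already freed: this is a real double free */
}

/* Shape of the posted patch: free addrs on the error path but leave the
 * (now dangling) pointer in the structure. */
static int handler_as_posted(struct channel *nc)
{
	nc->mac_addrs = model_calloc(4, sizeof(*nc->mac_addrs), 0);
	if (!nc->mac_addrs)
		return -12; /* stands in for -ENOMEM */
	nc->vlan_vids = model_calloc(4, sizeof(*nc->vlan_vids), 1);
	if (!nc->vlan_vids) {
		model_free(nc->mac_addrs);
		return -12;
	}
	return 0;
}

/* Same error path, but the pointer is cleared after the free so a later
 * teardown sees NULL and cannot free the buffer again. */
static int handler_clearing(struct channel *nc)
{
	nc->mac_addrs = model_calloc(4, sizeof(*nc->mac_addrs), 0);
	if (!nc->mac_addrs)
		return -12;
	nc->vlan_vids = model_calloc(4, sizeof(*nc->vlan_vids), 1);
	if (!nc->vlan_vids) {
		model_free(nc->mac_addrs);
		nc->mac_addrs = NULL;
		return -12;
	}
	return 0;
}

/* Teardown that may run later regardless of how the handler exited; this is
 * the role ncsi_remove_channel plays in the discussion. */
static void remove_channel(struct channel *nc)
{
	model_free(nc->mac_addrs);
	model_free(nc->vlan_vids);
	nc->mac_addrs = NULL;
	nc->vlan_vids = NULL;
}

/* Run a handler with the second allocation failing, then the teardown, and
 * report how many double frees the registry observed (-1 if the handler did
 * not fail as intended). */
int double_frees_after_teardown(int (*handler)(struct channel *))
{
	struct channel nc;
	memset(&nc, 0, sizeof(nc));
	memset(live, 0, sizeof(live));
	double_frees = 0;
	fail_second_alloc = 1;
	int rc = handler(&nc);
	fail_second_alloc = 0;
	remove_channel(&nc);
	return rc == -12 ? double_frees : -1;
}
```

Running the model with `handler_as_posted` reports one double free at teardown, with `handler_clearing` none. Clearing the pointer is the cheap defensive option when the caller's cleanup path is unknown; the alternative, as the reply above asks for, is to establish from the call graph which path owns the buffers after the handler fails and say so in the commit message.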


* Re: [PATCH] net/ncsi: prevent memory leak in ncsi_rsp_handler_gc
  2019-09-25 23:09 ` Al Viro
@ 2019-09-27  3:15   ` Navid Emamdoost
  2019-09-27 13:40     ` Markus Elfring
  0 siblings, 1 reply; 4+ messages in thread
From: Navid Emamdoost @ 2019-09-27  3:15 UTC (permalink / raw)
  To: Al Viro
  Cc: emamd001, kjlu, smccaman, Samuel Mendoza-Jonas, David S. Miller,
	netdev, linux-kernel

On Thu, Sep 26, 2019 at 12:09:38AM +0100, Al Viro wrote:
> On Wed, Sep 25, 2019 at 04:58:53PM -0500, Navid Emamdoost wrote:
> > In ncsi_rsp_handler_gc if allocation for nc->vlan_filter.vids fails the
> > allocated memory for nc->mac_filter.addrs should be released.
> > 
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> >  net/ncsi/ncsi-rsp.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
> > index d5611f04926d..f3f7c3772994 100644
> > --- a/net/ncsi/ncsi-rsp.c
> > +++ b/net/ncsi/ncsi-rsp.c
> > @@ -800,8 +800,10 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr)
> >  	nc->vlan_filter.vids = kcalloc(rsp->vlan_cnt,
> >  				       sizeof(*nc->vlan_filter.vids),
> >  				       GFP_ATOMIC);
> > -	if (!nc->vlan_filter.vids)
> > +	if (!nc->vlan_filter.vids) {
> > +		kfree(nc->mac_filter.addrs);
> >  		return -ENOMEM;
> > +	}
> 
> Again, why is it not a double-free?  IOW, what guarantees that we won't
> be calling <greps> ncsi_remove_channel(nc) at a later point?
> 
> I'm not familiar with that code, so you _might_ be correct in this case,
> but you need a lot more analysis in commit message than "should be",
> considering the other similar patches from the same source, with the
> same level of details in them that had been provably broken.
> 
> I don't know what kind of heuristics you are using when looking for
> leaks, but they demonstrably give quite a few false positives.
> 
> It might be useful (and not just for you) to discuss those heuristics.
> Could you go over the patch series you've posted and follow them up
> with "here I've decided that we have a leak for such and such reason".
> _Including_ the ones where you've ended up with false positives.
> 
> Look at it this way: you've posted a lot of statements without any
> proofs of their correctness *or* any way to guess what those missing
> proofs might've been.  At least some of them are false.  I can try
> to prove them from scratch and post such proofs where the statement
> happens to be true and counterexamples where it happens to be false.
> However, it would've been much more useful to go through what you've
> actually done to arrive at those statements, so that mistakes
> would not be repeated in new problems.  And those mistakes are very
> unlikely to be yours alone, so other people would benefit as well.

Hi Al, thanks for elaborating.
Here and in some other places, when I see an error happening (i.e. an errno
is returned here), the previous allocations need to be released
somehow. The problem is that just by traversing the code using tools
like ctags or elixir I couldn't find any caller of ncsi_rsp_handler_gc
that handles such errnos. From your comment I found that
ncsi_remove_channel can be invoked to remove a channel, but again I
cannot find a clear call path including ncsi_rsp_handler_gc and then
ncsi_remove_channel or anything like ncsi_unregister_dev (which I can
see is calling ncsi_remove_channel in ncsi-manage.c).
So it would be beneficial if we could somehow handle such cases
where we encounter function pointers on the way to constructing a call
graph.



* Re: net/ncsi: prevent memory leak in ncsi_rsp_handler_gc
  2019-09-27  3:15   ` Navid Emamdoost
@ 2019-09-27 13:40     ` Markus Elfring
  0 siblings, 0 replies; 4+ messages in thread
From: Markus Elfring @ 2019-09-27 13:40 UTC (permalink / raw)
  To: Navid Emamdoost, netdev
  Cc: Navid Emamdoost, Kangjie Lu, Stephen A McCamant, Al Viro,
	David S. Miller, Samuel Mendoza-Jonas, linux-kernel,
	kernel-janitors

> > > In ncsi_rsp_handler_gc if allocation for nc->vlan_filter.vids fails the
> > > allocated memory for nc->mac_filter.addrs should be released.
> The problem is that just by traversing the code using tools
> like ctags or elixir I couldn't find any caller to ncsi_rsp_handler_gc
> that handles such errnos.

Would you like to collaborate with higher level source code analysis tools?


What do you think about adding the tag “Fixes” here?

Regards,
Markus
